Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume V - Issue #15

April 16, 2003

More free resources:

To help you stay on top of security product developments, free
technical white papers from 22 vendor-sponsors of the current SANS
Security Tools Poster are available. The vendors often put a great
deal of quality technical work into these papers (but not always.) To
choose the papers you'd like, visit http://www.sans.org/tools.php

This is a wonderful summer for giving your security skills a boost
and for getting moving on security skills certification. There are
large programs in Portland (OR), Monterey, Denver, and London.
And SANS' most popular summer conference is SANSFire in Washington
DC. SANSFire classes always fill up early and 300,000 brochures
will start arriving in mailboxes next week, so to get a place in
the class you want, we suggest you start choosing this week or next
week. Visit http://www.sans.org and click on SANSFire (or any of the
other programs) to see a brochure.

TOP OF THE NEWS

The most recent release of OpenBSD should eliminate buffer overflows, according to the group's project leader. The project took three approaches to hardening the system. First, the location of the stack in memory is randomized, so an attacker cannot predict where injected data will sit. Second, a guard value is placed on the stack between local buffers and the saved return address; if an overflow overwrites it, the modification is detected before the function returns. Finally, the units into which memory is divided, called "pages", are marked either writable or executable but never both, so data an attacker writes into memory cannot be executed directly.
-http://news.com.com/2100-1002-996584.html
[Editor's Note (Schultz): Many kudos are in order here. If what the OpenBSD people are doing really works, they will put considerable pressure on other vendors and developers to do the same. Buffer overflow problems continue to plague operating systems and applications. Eliminating this category of vulnerabilities would be a major victory for the information security arena. (Schneier): It's great to see this kind of approach to buffer overflows. This is an example of building in security instead of trying to patch it afterwards. (Ranum): It's GREAT to see that at least a few people are smart enough to try to attack problems like this systemically, rather than keeping stuck in the fruitless "penetrate and patch" while loop. This is how to make progress in security: fundamental protections. (Shpantzer): Initiatives like this should be taught as case studies in computer science courses at the undergraduate level.]
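The guard-value mechanism in the second approach, as an added illustration that is not OpenBSD's own code: a small C simulation of a stack frame in which a canary sits between a fixed-size local buffer and the saved return address, a strcpy-style copy overflows the buffer, and the epilogue compares the canary before trusting the return slot. The frame layout, the fixed canary constant, the fake return address and the fill inputs are all constructed for the example; in a real stack protector the compiler emits the prologue and epilogue and the canary is drawn from a per-process random source.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Simulated stack frame, laid out the way a stack-protector prologue
 * arranges it (addresses grow to the right, so an overflow of the
 * buffer runs into the canary before it reaches the return address):
 *
 *   [ local buffer (16 bytes) ][ canary (8) ][ saved return address (8) ]
 */
#define BUF_SIZE    16
#define CANARY_OFF  BUF_SIZE
#define RET_OFF     (BUF_SIZE + 8)
#define FRAME_SIZE  (RET_OFF + 8)

/* Fixed for the example only (assumption). A real stack protector draws
 * this value from a per-process random source so an attacker cannot
 * simply write the known value back while overflowing. */
#define EXAMPLE_CANARY 0x6f3a9c21d5e80b47ULL
/* Fake saved return address, constructed for the example. */
#define EXAMPLE_RETURN 0x401000ULL

typedef struct { unsigned char bytes[FRAME_SIZE]; } frame_t;

/* Prologue: zero the locals, then plant the canary and the saved return. */
static void prologue(frame_t *f, uint64_t canary, uint64_t ret_addr)
{
    memset(f->bytes, 0, FRAME_SIZE);
    memcpy(f->bytes + CANARY_OFF, &canary, sizeof canary);
    memcpy(f->bytes + RET_OFF, &ret_addr, sizeof ret_addr);
}

/* Function body with the classic bug: an unbounded copy into the local
 * buffer. The clamp only keeps the simulation inside the frame array;
 * it is deliberately not a bounds check on the 16-byte buffer. */
static void vulnerable_body(frame_t *f, const unsigned char *in, size_t len)
{
    if (len > FRAME_SIZE)
        len = FRAME_SIZE;
    memcpy(f->bytes, in, len);
}

/* Epilogue check: the canary must still equal the value planted in the
 * prologue. If it does not, the frame was smashed and the function must
 * abort instead of returning through a possibly attacker-chosen address.
 * Returns 1 if intact, 0 if smashed. */
static int epilogue_check(const frame_t *f, uint64_t canary)
{
    uint64_t stored;
    memcpy(&stored, f->bytes + CANARY_OFF, sizeof stored);
    return stored == canary;
}

static uint64_t saved_return(const frame_t *f)
{
    uint64_t ret;
    memcpy(&ret, f->bytes + RET_OFF, sizeof ret);
    return ret;
}

/* Run one simulated call with a constructed input of `len` bytes of `fill`.
 * Returns 1 when the canary check passes, 0 when the overflow is detected;
 * if ret_out is non-NULL it receives whatever now sits in the return slot. */
int simulate_call(size_t len, unsigned char fill, uint64_t *ret_out)
{
    unsigned char input[FRAME_SIZE];
    frame_t f;

    if (len > FRAME_SIZE)
        len = FRAME_SIZE;
    memset(input, fill, len);

    prologue(&f, EXAMPLE_CANARY, EXAMPLE_RETURN);
    vulnerable_body(&f, input, len);
    if (ret_out)
        *ret_out = saved_return(&f);
    return epilogue_check(&f, EXAMPLE_CANARY);
}

/* Convenience wrapper: the return-slot contents after a call with the
 * given input, regardless of whether the canary check passed. */
uint64_t return_slot_after(size_t len, unsigned char fill)
{
    uint64_t ret = 0;
    (void)simulate_call(len, fill, &ret);
    return ret;
}

int main(void)
{
    size_t cases[] = { 5, 16, 20, 32 };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint64_t ret;
        int ok = simulate_call(cases[i], 'A', &ret);
        printf("input %2zu bytes: canary %s, saved return 0x%016llx\n",
               cases[i], ok ? "intact " : "SMASHED",
               (unsigned long long)ret);
    }
    return 0;
}
```

Two points the simulation makes that the news item does not: a 20-byte input is caught even though the return address is still untouched, because the canary is hit first; and a 32-byte input replaces the return slot with attacker bytes, which is exactly why the check has to run before the function returns rather than after. The canary detects the overwrite, it does not prevent it, and an overflow that stays inside the buffer or only clobbers other locals placed below the canary is not caught at all, which is why OpenBSD paired it with stack randomization and non-executable pages rather than relying on it alone.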

Judge Throws Out ACLU's Challenge to DMCA (9 April 2003)

US District Court Judge Richard Stearns has thrown out a lawsuit brought by the American Civil Liberties Union (ACLU) that challenged the Digital Millennium Copyright Act (DMCA). The suit was brought on behalf of a Harvard Law School student who wanted to reverse-engineer certain Internet content-filtering software. -http://www.washingtonpost.com/wp-dyn/articles/A331-2003Apr9.html

At a congressional hearing, former presidential cyber security advisor Richard Clarke spoke critically of the government's cyber security efforts, saying the Department of Homeland Security needs to move more quickly to organize the National Cyber Security Center and that the Office of Management and Budget (OMB) should hire a full-time chief information security officer devoted solely to cybersecurity. Clarke also said that Congress should fund vulnerability scanning sensors on all federal networks. Michael Vatis, director of Dartmouth College's Institute for Security Technology Studies (ISTS), largely agreed with Clarke and recommended that the Securities and Exchange Commission (SEC) require companies to include their cybersecurity measures in their reports to the SEC. The OMB's Mark Forman maintained that the DHS would address cybersecurity, that the CIOs of the various agencies would be responsible, and that he wants market forces to drive cyber security implementation.
-http://www.gcn.com/vol1_no1/daily-updates/21652-1.html
-http://www.govexec.com/dailyfed/0403/040803td1.htm
-http://www.computerworld.com/governmenttopics/government/policy/story/0,10801,80183,00.html
-http://www.washingtonpost.com/wp-dyn/articles/A55783-2003Apr8.html
[Editor's Note (Northcutt): I tell intrusion detection students that for every dollar they spend on an IDS, they should plan to spend a matching dollar on disk space to hold the detects. Similarly, for every dollar you spend on a vulnerability scanner, plan to spend a thousand dollars on the staff to handle the remediation. I support Richard Clarke's advice, but the scanners just find problems. There is no substitute for the trained admins to fix the problems. Speaking of trained admins, the best Unix instructor in the field, Hal Pomeranz, is running a hands-on SANS Unix security course in Raleigh NC April 28 - May 3, 2003. This course was designed to fit the small class model and is your opportunity to learn in a class with a great instructor-to-student ratio:
-http://www.sans.org/raleigh03/]

************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
(1) FOIL NETWORK ATTACKS BEFORE THEY'RE LAUNCHED! Automatically prevent
intrusions. FREE DEMO.
http://www.sans.org/cgi-bin/sanspromo/NB158
(2) Learn how to Arm Yourself Against Network Attacks. Free Guide.
http://www.sans.org/cgi-bin/sanspromo/NB159
(3) ALERT: How a Hacker Launches a SQL Injection Attack Step-by-Step -
White Paper
http://www.sans.org/cgi-bin/sanspromo/NB160
***********************************************************************

THE REST OF THE WEEK'S NEWS

The Federal Reserve, the Office of the Comptroller of the Currency and the Securities and Exchange Commission have published a white paper outlining disaster recovery and business continuity guidelines for financial institutions. The guidelines call for systems that allow same-day business recovery after a disaster, with a target of reducing that time frame to two hours. Many companies balked at an earlier proposal that suggested a minimum distance of 200-300 miles between primary and secondary data centers; the final paper does not establish a minimum distance for back-up facilities.
-http://www.computerworld.com/securitytopics/security/recovery/story/0,10801,80262,00.html

Mueller Outlines FBI Budget Request (10 April 2003)

In his budget presentation to the U.S. Senate Commerce, Justice and State Appropriations Subcommittee, FBI director Robert Mueller said cybersecurity is the agency's third priority area. The budget request for the agency's Cyber Division for fiscal 2004 is $234 million; the figure includes the hiring of 77 new agents to work in combating cyber attacks and high tech crime. -http://www.govexec.com/dailyfed/0403/041003td2.htm

The final draft of the report to the U.S. Congress under the Government Information Security Reform Act (GISRA) includes metrics on federal computer system security. While only 40% of systems had current security plans in 2001, that figure increased to 61% in 2002. Systems with security certification and accreditation rose from 27% to 40%, and systems that had undergone risk assessments rose from 44% to 64%. Mark Forman, associate director for information technology and e-government at the Office of Management and Budget (OMB), says that while there has been improvement, the figures are not where they should be; the OMB's goal for this fiscal year is to have 80% of federal systems certified and accredited.
-http://www.fcw.com/fcw/articles/2003/0407/web-gisra-04-10-03.asp

ISS Revises Cyber Incident Statistics for First Quarter of 2003 (8 April 2003)

Secure Operating Systems (8 April 2003)

Secure operating systems (OSes) fall into two categories: hardened OSes and trusted OSes. Hardened systems are aimed at keeping intruders out of the system altogether; unneeded network ports and services are removed to lock the system down. Trusted systems enforce access controls so that only people with specific access rights can view and manipulate data. Even if intruders gain root access to a properly configured trusted system, they do not gain control of the whole system.
-http://www.newsfactor.com/perl/story/21212.html
[Editor's Note (Grefer): A configured trusted system as described in the abstract would not have a traditional super user (root) account; rather, it would use role based access control (RBAC), therefore limiting rights to those necessary for any particular role. (Ranum): Trusted operating systems are not news. They have been around since the early 80's - and didn't work then any better than they do now.]

The Arkansas Democrat-Gazette received a letter containing the social security numbers of several Arkansas prison employees from someone claiming to be an inmate. The author of the letter alleges that prison authorities were lax in allowing inmates to have access to computers. A prison spokeswoman says the information would not have been available through the Internet, but could have been found on the prison's computer system. The incident is being investigated.
-http://www.usatoday.com/tech/news/computersecurity/2003-04-08-inmate-hack_x.htm

Digital Defense Apologizes for Releasing Samba Exploit Along with Advisory (7/8 April 2003)

The Samba team has released a patch for a vulnerability discovered by the security company Digital Defense. The vulnerability could allow attackers to compromise Samba servers connected to the Internet. Because the vulnerability was already being actively exploited, the Samba team and Digital Defense decided to release their advisories before all vendors had time to address the problem. Digital Defense's advisory also included working exploit code for the vulnerability, which the company says was released without managerial approval; the company has apologized.
-http://news.com.com/2100-1002-995834.html
-http://news.com.com/2100-1002-995939.html

GAO Report Finds ISACs are Not Sharing Much Information (3 April 2003)

A General Accounting Office (GAO) review of the Information Sharing and Analysis Centers (ISACs) for the Telecommunications, Electricity, Information Technology, Energy and Water critical infrastructures found that the clearinghouses are not sharing much information with the government. Some ISACs will not share information with other ISACs; some will not let the National Infrastructure Protection Center (NIPC) access their libraries of reported incidents. Some claim they fear that the information they provide may become accessible to the public through the Freedom of Information Act (FOIA).
-http://www.securityfocus.com/news/3690
[Editor's Note (Schneier): May I say, "I told you so?"]

===end===
NewsBites Editorial Board:
Kathy Bradford, Dorothy Denning, Roland Grefer, Stephen Northcutt,
Alan Paller, Marcus Ranum, Eugene Schultz, Gal Shpantzer
Guest Editors: Bruce Schneier and Hal Pomeranz
Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
(and for free posters) or to update a current subscription, visit
http://portal.sans.org/